From db70ab8f7d0fac21228f345f238b1527f1e15a25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Dr=C3=B6scher?=
Date: Sun, 29 Jul 2018 12:07:54 +0200
Subject: [PATCH] change: remove broken legic simulator
It will be rewritten in a later commit
---
 armsrc/legicrf.c | 338 +----------------------------------------------
 1 file changed, 2 insertions(+), 336 deletions(-)
diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c
index 035e01e98..e0475bc9b 100644
--- a/armsrc/legicrf.c
+++ b/armsrc/legicrf.c
@@ -41,37 +41,8 @@ static int legic_reqresp_drift;
 #define TAG_BIT_PERIOD 142 // 100us == 100 * 1.5 == 150ticks
 #define TAG_FRAME_WAIT 495 // 330us from READER frame end to TAG frame start. 330 * 1.5 == 495
-#define RWD_TIME_FUZZ 20 // rather generous 13us, since the peak detector + hysteresis fuzz quite a bit
-
-#define SIM_DIVISOR 586 /* prng_time/SIM_DIVISOR count prng needs to be forwared */
-#define SIM_SHIFT 900 /* prng_time+SIM_SHIFT shift of delayed start */
-
 #define OFFSET_LOG 1024
-#define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
-
-#ifndef SHORT_COIL
-# define SHORT_COIL LOW(GPIO_SSC_DOUT);
-#endif
-#ifndef OPEN_COIL
-# define OPEN_COIL HIGH(GPIO_SSC_DOUT);
-#endif
-#ifndef LINE_IN
-# define LINE_IN AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
-#endif
-// Pause pulse, off in 20us / 30ticks,
-// ONE / ZERO bit pulse,
-// one == 80us / 120ticks
-// zero == 40us / 60ticks
-#ifndef COIL_PULSE
-# define COIL_PULSE(x) \
- do { \
- SHORT_COIL; \
- WaitTicks( (RWD_TIME_PAUSE) ); \
- OPEN_COIL; \
- WaitTicks((x)); \
- } while (0);
-#endif
 // ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces.
 // Historically it used to be FREE_BUFFER_SIZE, which was 2744.
@@ -121,33 +92,8 @@ uint32_t get_key_stream(int skip, int count) {
 return legic_prng_get_bits(count);
 }
-/* Send a frame in tag mode, the FPGA must have been set up by
- * LegicRfSimulate
- */
-void frame_send_tag(uint16_t response, uint8_t bits) {
- uint16_t mask = 1;
-
- /* Bitbang the response */
- SHORT_COIL;
- AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
- AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
- /* TAG_FRAME_WAIT -> shift by 2 */
- legic_prng_forward(3);
- response ^= legic_prng_get_bits(bits);
-
- /* Wait for the frame start */
- WaitTicks( TAG_FRAME_WAIT );
-
- for (; mask < BITMASK(bits); mask <<= 1) {
- if (response & mask)
- OPEN_COIL
- else
- SHORT_COIL
- WaitTicks(TAG_BIT_PERIOD);
- }
- SHORT_COIL;
 }
 /* Send a frame in reader mode, the FPGA must have been set up by
@@ -571,292 +517,12 @@ OUT:
 LEDsoff();
 }
-/* Handle (whether to respond) a frame in tag mode
- * Only called when simulating a tag.
- */
-static void frame_handle_tag(struct legic_frame const * const f)
-{
- // log
- //uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1)};
- //LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, false);
- //Dbprintf("ICE: enter frame_handle_tag: %02x ", f->bits);
-
- /* First Part of Handshake (IV) */
- if(f->bits == 7) {
-
- LED_C_ON();
-
- // Reset prng timer
- //ResetTimer(prng_timer);
- ResetTicks();
-
- // IV from reader.
- legic_prng_init(f->data);
-
- Dbprintf("ICE: IV: %02x ", f->data);
-
- // We should have three tagtypes with three different answers.
- legic_prng_forward(2);
- //frame_send_tag(0x3d, 6); /* MIM1024 0x3d^0x26 = 0x1B */
- frame_send_tag(0x1d, 6); // MIM256
-
- legic_state = STATE_IV;
- legic_read_count = 0;
- legic_prng_bc = 0;
- legic_prng_iv = f->data;
-
- //ResetTimer(timer);
- //WaitUS(280);
- WaitTicks(388);
- return;
- }
-
- /* 0x19==??? */
- if(legic_state == STATE_IV) {
- uint32_t local_key = get_key_stream(3, 6);
- int xored = 0x39 ^ local_key;
- if((f->bits == 6) && (f->data == xored)) {
- legic_state = STATE_CON;
-
- ResetTimer(timer);
- WaitTicks(300);
- return;
-
- } else {
- legic_state = STATE_DISCON;
- LED_C_OFF();
- Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored);
- return;
- }
- }
-
- /* Read */
- if(f->bits == 11) {
- if(legic_state == STATE_CON) {
- uint32_t key = get_key_stream(2, 11); //legic_phase_drift, 11);
- uint16_t addr = f->data ^ key;
- addr >>= 1;
- uint8_t data = cardmem[addr];
-
- uint32_t crc = legic4Crc(LEGIC_READ, addr, data, 11) << 8;
-
- //legic_read_count++;
- //legic_prng_forward(legic_reqresp_drift);
-
- frame_send_tag(crc | data, 12);
- //ResetTimer(timer);
- legic_prng_forward(2);
- WaitTicks(330);
- return;
- }
- }
-
- /* Write */
- if (f->bits == 23 || f->bits == 21 ) {
- uint32_t key = get_key_stream(-1, 23); //legic_frame_drift, 23);
- uint16_t addr = f->data ^ key;
- addr >>= 1;
- addr &= 0x3ff;
- uint32_t data = f->data ^ key;
- data >>= 11;
- data &= 0xff;
-
- cardmem[addr] = data;
- /* write command */
- legic_state = STATE_DISCON;
- LED_C_OFF();
- Dbprintf("write - addr: %x, data: %x", addr, data);
- // should send a ACK after 3.6ms
- return;
- }
-
- if(legic_state != STATE_DISCON) {
- Dbprintf("Unexpected: sz:%u, Data:%03.3x, State:%u, Count:%u", f->bits, f->data, legic_state, legic_read_count);
- Dbprintf("IV: %03.3x", legic_prng_iv);
- }
-
- legic_state = STATE_DISCON;
- legic_read_count = 0;
- WaitMS(10);
- LED_C_OFF();
- return;
 }
-/* Read bit by bit untill full frame is received
- * Call to process frame end answer
- */
-static void emit(int bit) {
-
- switch (bit) {
- case 1:
- frame_append_bit(¤t_frame, 1);
- break;
- case 0:
- frame_append_bit(¤t_frame, 0);
- break;
- default:
- if(current_frame.bits <= 4) {
- frame_clean(¤t_frame);
- } else {
- frame_handle_tag(¤t_frame);
- frame_clean(¤t_frame);
- }
- WDT_HIT();
- break;
- }
 }
-void LegicRfSimulate(int phase, int frame, int reqresp)
-{
- /* ADC path high-frequency peak detector, FPGA in high-frequency simulator mode,
- * modulation mode set to 212kHz subcarrier. We are getting the incoming raw
- * envelope waveform on DIN and should send our response on DOUT.
- *
- * The LEGIC RF protocol is pulse-pause-encoding from reader to card, so we'll
- * measure the time between two rising edges on DIN, and no encoding on the
- * subcarrier from card to reader, so we'll just shift out our verbatim data
- * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
- * seems to be 330us.
- */
-
- int old_level = 0, active = 0;
- volatile int32_t level = 0;
-
- legic_state = STATE_DISCON;
- legic_phase_drift = phase;
- legic_frame_drift = frame;
- legic_reqresp_drift = reqresp;
-
-
- /* to get the stream of bits from FPGA in sim mode.*/
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
- // Set up the synchronous serial port
- //FpgaSetupSsc();
- // connect Demodulated Signal to ADC:
- SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
- FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
- //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
-
- #define LEGIC_DMA_BUFFER 256
- // The DMA buffer, used to stream samples from the FPGA
- //uint8_t *dmaBuf = BigBuf_malloc(LEGIC_DMA_BUFFER);
- //uint8_t *data = dmaBuf;
- // Setup and start DMA.
- // if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, LEGIC_DMA_BUFFER) ){
- // if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
- // return;
- // }
-
- //StartCountSspClk();
- /* Bitbang the receiver */
- AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
- AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
-
- // need a way to determine which tagtype we are simulating
-
- // hook up emulator memory
- cardmem = BigBuf_get_EM_addr();
-
- clear_trace();
- set_tracing(true);
-
- crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
-
- StartTicks();
-
- LED_B_ON();
- DbpString("Starting Legic emulator, press button to end");
-
- /*
- * The mode FPGA_HF_SIMULATOR_MODULATE_212K works like this.
- * - A 1-bit input to the FPGA becomes 8 pulses on 212kHz (fc/64) (18.88us).
- * - A 0-bit input to the FPGA becomes an unmodulated time of 18.88us
- *
- * In this mode the SOF can be written as 00011101 = 0x1D
- * The EOF can be written as 10111000 = 0xb8
- * A logic 1 is 01
- * A logic 0 is 10
- volatile uint8_t b;
- uint8_t i = 0;
- while( !BUTTON_PRESS() ) {
- WDT_HIT();
-
- // not sending anything.
- if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
- AT91C_BASE_SSC->SSC_THR = 0x00;
- }
-
- // receive
- if ( AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY ) {
- b = (uint8_t) AT91C_BASE_SSC->SSC_RHR;
- bd[i] = b;
- ++i;
- // if(OutOfNDecoding(b & 0x0f))
- // *len = Uart.byteCnt;
- }
-
- }
- */
-
- while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
-
- level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
-
- uint32_t time = GET_TICKS;
-
- if (level != old_level) {
- if (level == 1) {
-
- //Dbprintf("start, %u ", time);
- StartTicks();
- // did we get a signal
- if (FUZZ_EQUAL(time, RWD_TIME_1, RWD_TIME_FUZZ)) {
- // 1 bit
- emit(1);
- active = 1;
- LED_A_ON();
- } else if (FUZZ_EQUAL(time, RWD_TIME_0, RWD_TIME_FUZZ)) {
- // 0 bit
- emit(0);
- active = 1;
- LED_A_ON();
- } else if (active) {
- // invalid
- emit(-1);
- active = 0;
- LED_A_OFF();
- }
- }
- }
-
-
- /* Frame end */
- if(time >= (RWD_TIME_1 + RWD_TIME_FUZZ) && active) {
- emit(-1);
- active = 0;
- LED_A_OFF();
- }
-
- /*
- * Disable the counter, Then wait for the clock to acknowledge the
- * shutdown in its status register. Reading the SR has the
- * side-effect of clearing any pending state in there.
- */
- //if(time >= (20*RWD_TIME_1) && (timer->TC_SR & AT91C_TC_CLKSTA))
- if(time >= (20 * RWD_TIME_1) )
- StopTicks();
-
- old_level = level;
- WDT_HIT();
 }
- WDT_HIT();
- DbpString("LEGIC Prime emulator stopped");
- switch_off_tag_rwd();
- FpgaDisableSscDma();
- LEDsoff();
- cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
+void LegicRfSimulate(int phase, int frame, int reqresp) {
+ cmd_send(CMD_ACK, 0, 0, 0, 0, 0); //TODO Implement
 }
-}
-
-}
\ No newline at end of file
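Review bot: The stub `LegicRfSimulate` acknowledges with `cmd_send(CMD_ACK, 0, 0, 0, 0, 0)` where the removed body sent arg0 = 1, so a client that reads arg0 as a status now silently gets a different value and nothing tells the operator that simulation is unimplemented; consider `DbpString("LEGIC simulation not implemented");` before the ack and a comment above the function saying it is a placeholder, presumably kept so the command dispatcher still links. The three parameters are now unused; `(void)phase; (void)frame; (void)reqresp;` keeps `-Wunused-parameter` clean until the rewrite lands. The statics the old body assigned (`legic_phase_drift`, `legic_frame_drift`, `legic_reqresp_drift`, the last visible in the first hunk's header) and the `TAG_BIT_PERIOD`/`TAG_FRAME_WAIT` defines kept in the first hunk appear to lose their only users with `frame_send_tag` and `frame_handle_tag` gone, so expect unused-variable warnings unless they are referenced outside these hunks. The trailing `-}` lines removed at the end of the hunk suggest the old file carried stray closing braces; worth confirming the new file ends with a single `}` and a newline, since `\ No newline at end of file` still applies.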